Windows Enterprise Desktop

In case you didn’t already know, MS issued a security update in April, 2014 (KB 2919355) that *must* be installed on certain Windows 8.1 systems for them to continue to receive security updates that will be issued starting with next week’s set of “Patch Tuesday” updates (for more info, see my earlier blog posts from 4/8, 4/21, and 5/7). This applies primarily to those systems that receive updates from Windows Update or Microsoft Update, and won’t affect systems that use the Windows Server Update Services like those customarily managed in-house by most larger-scale customers with Microsoft Software Assurance. However, because ongoing issues with KB 2919355 are apparently not yet resolved (Woody Leonhard has written in some detail about what’s going on here for InfoWorld in stories on 5/5 and 5/8) even though enterprise customers have until August to “patch up” to KB 2919355, this situation bears watching.

First up for next Patch Tuesday: a critical IE fix for all supported Windows versions. What happens to those with KB2919355 problems?

Next week, things are about to get more interesting, as the Advance Notification for Microsoft’s Security Bulletin for May 2014 includes an update rated “Critical” for Internet Explorer on all supported Windows versions (Vista through 8.1 Update 1 on the client side, Server 2003 through 2012 R2 on the server side). This security patch designation virtually mandates its immediate application and raises the interesting issue of what happens to those Windows 8.1 Update installations that experienced KB2919355 issues that stymied its successful application? MS has already said that a failure to install means that subsequent patches won’t be applied, so now it remains to be seen if MS will stick to its guns in light of reports of numerous and serious impediments to successful installation on some Windows 8.1 systems.

Longer term, this also poses the same potential sticking points for enterprise users not yet under the gun to apply KB2919355 immediately, but who must also toe the line by the time the August updates get released. More realistically, given typical enterprise deployment schedules, this “deadline” stretches into November. That’s because many large organizations schedule patches and updates only once-per-quarter update on some designated “update weekend,” often a 3-day weekend, to give IT teams an extra day to cope with potential problems that sometimes arise during such activities whenever possible.

This one’s going to be interesting all the way around, folks, both for those facing the immediate cut-off date next week, as well as for those organizations with Windows 8.1 deployments big enough to fall under the August deadline. Stay tuned for more results and discussion as the situation grinds its way to some kind of conclusion or another.

There’s been quite a bit of flap lately about the Windows 8.1 Update (as in the “quasi service pack”, KB2919355) released in April, 2014. It seems that many systems encounter problems with its installation, not all of which are easily overcome. The problem with the situation is that for those who get their updates from Windows Update or Microsoft Update, its installation is required to keep getting updates from those sources, starting with the upcoming patches for May. Right now, if you look at the update history in a multiply-patched Windows 8.1 machine, you might see something like this:

The 4/22 date indicates that KB2919355 was re-patched, as does history starting over following its re-installation.

On the other hand, a normally patched Windows 8.1 Update system will show an update history that looks like this:

The 4/10 date indicates that KB2919355 needed no fix-ups, as does evidence of history prior to installation.

Why am I telling you this? Because I read a troubling article from Windows-meister Woody Leonhard for InfoWorld this morning. Entitled “Microsoft reissues botched Windows 8.1 Update KB 2919355,” it explains some of the difficulties that the installer used for the update (not the update components themselves) have caused for various Windows users. Other interesting coverage is available from the Windows 8 Forums as well, to follow up on that article.

The upshot is that users who experience difficulties in installing upcoming Windows Updates should turn to Microsoft’s Deployment Image Services and Management command-line tool (dism.exe) to see if it encounters image cleanup problems it can’t fix. Here’s how: run this command at an admin-level command prompt: dism /Online /Cleanup-image /Restorehealth. If it completes correctly, you may have other problems to solve; if it fails with error codes 0X800F081F, 0X80073712, or 0X80071A91 (among others), you have issues with the KB2919355 installer itself. In that case, Windows Update should offer to (re)install 2919355, which fixes most such problems. Otherwise, it may be necessary to roll back to a pre-4/10/2014 backup so you can try again. Sheesh!

In MS-speak, MDOP stands for the Microsoft Desktop Optimization Pack. It’s a collection of tools and facilities that MS makes available to its Software Assurance customers (a category that includes many, if not most, enterprise-class Windows users). Here’s an iconic view of what’s in MDOP, which I’ll follow with some explanations about what’s new and potentially interested in the most recently released version for 2014:

The major elements of MDOP include various virtualization tools, management tools for GPOs and BitLocker, and a peachy Diagnostics and Recovery Toolkit (aka DaRT)

Some of the elements of MDOP have been around for some time now, including a variety of different virtualization and management tools. The latest release became available last week on May 1, and adds updates to its Application Virtualization components that include enhanced application publishing capabilities, improvements to launch and refresh elements, plus improvements intended to make it easier to test and deploy new versions of virtualized applications. BitLocker Management and Monitoring (MBAM) tools also come in for some interesting improvements too, including added support in Windows 8.1 for FIPS 140-2, improved compliance and enforcement tools, and better integration with load balancing for Web components, and deployment in SQL Server failover clusters. Myself, I’m particularly keen on the Diagnostics and Recovery Toolkit (aka DaRT), which includes tools designed to boot and repair unresponsive Windows systems, along with a variety of enhanced and advanced recovery tools designed for professional use in IT/tech support environments.

One more thing: MSDN subscribers can download and evaluate MDOP as well (as can TechNet subscribers as well), though the 2014 version isn’t yet available for download there at the moment. However, I imagine it should show up soon in both places.

You can call me “slow on the uptake” when it comes to figuring out how to take best advantage of advanced Windows 8 technologies if you like, but I’ve only recently realized that the best way to take advantage of SSDs and Intel’s Rapid Storage Technology and Rapid Start Technology requires building systems with disk architecture configured for RAID from the get-go. I’ve been using AHCI (the advanced host controller interface) as my default with SATA drives for years now, but have only recently learned how to use Rapid Start and a second SSD to boost Windows’ boot-up and shutdown behaviors (and times).

The default UEFI/GPT setting works fine for most smaller SSDs, but…

Having tried numerous proposed methods to switch an existing install from AHCI to RAID without success now, I’m reasonably convinced that selecting RAID in the BIOS for the motherboard’s (or system’s) SATA configuration setting prior to performing a Windows 8.* install (which means a UEFI install of Windows 8.1 on a GPT disk layout these days — at least, on most of my systems) is absolutely the right way to go. My desktops increasingly support two or more SSDs nowadays, and my Lenovo laptops accommodate mSATA SSDs as well as 2.5″ units of the same type, which means all of those systems can support both forms of Intel RST (Rapid Storage Technology and Rapid Start Technology as well). Even if you don’t use a RAID array of any kind, Rapid Start doesn’t work unless you configure the boot drive as RAID rather than AHCI (and with an SSD for the boot drive, there’s no real need to pair two drives together to boost performance for conventional hard disks).

There’s another potential wrinkle in this process that’s worth further reading and study — namely, the partitioning scheme when building a UEFI/GPT based boot/system drive for Windows 8.*. This is admirably documented in the TechNet article entitled “Configure UEFI/GPT-Based Hard Drive Partitions” but there is one proviso that may be worth considering — namely that default partition layouts may not always work exactly as expected. Let me explain: by default, Windows 8.* allocates 350 MB to the Windows Recovery Environment (WinRE) partition, 100 MB to the EFI System Partition (from whence Windows boots), and the rest of the space available on the drive to the OS partition where the visible file system will reside. On smaller SSDs, this allocation appears to work pretty well. But I’ve noticed on larger SSDs (256 GB or bigger) and conventional drives (most of which exceed 500 GB these days), some systems encounter problems when running Windows File History or when capturing a system image (using the System Image Backup option on the File History control panel element). That’s because they write such backups through the WinRE partition to the target drive, and may suffer when there’s insufficient free space in that partition to accommodate backup write activity. In such cases, you’ll want to override the default partition layout for your system, and allocate 500 GB of space (or more) to WinRE (please also follow the directives from the aforecited TechNet article about free space in that partition as well). A disk partition script (using DiskPart.exe) is available with the TechNet article, and worth both reading and using if you decide to depart from the defaults that Windows 8.* uses. An equivalent answer-file setup for SysPrep is also provided there as well.

There are many ways to clean up unwanted software on Windows PC using either built-in utilities such as the “Programs and Features” element in Control Panel (formerly known as “Add/Remove Programs”), or by using third-party tools such as the proverbial “PC Decrapifier.” But until the introduction of the Sourceforge project called the “Windows 8 App Remover,” there was no simple and straightforward way to remove so-called Metro (aka “Modern UI” or “Windows Store UI”) apps from the tiled desktop that is still featured in all currently available Windows 8 versions (Windows 8, Windows 8.1, and Windows 8.1 Update [Build 9600]). The download is an .exe file that you can run in any administrator level account, and produces a display like this one:

You must remember to match the version selector (upper left) to your installed or targeted
version of Windows 8 for this program to work.

Once you tell the program which version of Windows you’re using (a drop-down box pick from the upper left corner of its program window as shown in the preceding screen capture), it gives you the option of removing any of the apps installed on the version of Windows you target. By default the program picks the “Online” image, which means it targets the version of Windows that’s running on your PC. You can also target Windows Image (.wim) files elsewhere in your file system), but only after mounting them to a folder on some drive available to your PC (changes are saved only when you unmount the image you target following use of this program). And while you can uninstall anything you like using this tool, you can only restore these apps by downloading and installing them from the Windows Store thereafter (not as easy as turning Windows features on and off using “Programs and Features,” but not a serious hardship, either). Because the tool works by actually removing binary packages from a Windows 8 image (.wim) file, reinstallation is mandated because the program bits are gone, gone, gone from whatever version of Windows 8 you use it on.

On several of my test machines, I elected to remove some of the Bing apps (Finance and Sports, which I never use), along with Health and Fitness, Reading list, XBOX Games, and Zune Music. This does produce some modest disk space savings on the system drive, and it will result in the disappearance of app tiles from the Windows Store UI. Mostly, it helps to get rid of clutter on the Metro “home page” for Windows 8 versions, and keep you from dealing with apps that you might not want or never use. A nice utility, all in all, Win 8 App Remover is best understood as a GUI wrapper for the Windows Deployment Image Servicing and Management tool, which runs at the command line as DISM.

Anybody who’s been reading this blog for awhile knows I’m a great fan of master utility builder Nir Sofer, the Israeli software development dynamo who’s behind the terrific NirSoft.net website. Today’s blog pays homage to another of his little gems: this one is named WifiInfoView, which Sofer describes as a “Wi-Fi Scanner for Windows 7/8/Vista.”

The WifiInfoView Utility has lots of useful information to show about WiFi networks in your vicinity (click image to view full-size version).

I like to use this tool to observe what my wireless router (“Narbor”) is showing to the world at large, and to get a sense of what else is active my wireless neighborhood. I’m a little embarrassed to observe that somebody nearby (“Jorge54”) has already beat me to deploying 802.11ac. In fact, this spurred me on to order the highly-reviewed and -regarded ASUS AC1900 Dual Band Gigabit Router from Newegg. I also like to use this tool when traveling to scan my wireless environs to see what kinds (and speeds) of connections might be available to me (on more than one occasion, I’ve discovered a higher-speed wireless Guest network than the one my host of the moment advised me to login into).

The WifiInfoView program icon describes its function visually and concisely.

The utility occupies a mere 235 KB of disk space, with just under 300 KB for the entire collection (which includes configuration, help, and readme files, in addition to WifiInfoView.exe). This makes it well-suited for inclusion on any admin’s traveling utility USB flash drive (as is the case for most of Mr. Sofer’s utility offerings), or for routine installation for power users’ (or other interested parties) laptop, notebook, or tablet PCs. Please dash out and grab yourself a copy today, then spend a few minutes checking out the rest of the Nirsoft collection. You won’t be disappointed.

This interesting post last week on the Windows PowerShell Blog is entitled “A World of Scripts at your Fingertips — Introducing Script Browser,” and explains how you can download the aforementioned item to run inside the PowerShell ISE (Integrated Scripting Environment). This grabs a Microsoft Software Installer (.msi) file that’s 1,390 KB in size, and runs a search tool from inside the ISE to help users browse through over 10,000 PowerShell scripts available from TechNet, the PowerShell team at Microsoft, and the folks at “the Garage.”

Though the screen cap is too small to read in detail, you can consult the full-size original for easier deciphering.

Adding this tool to your PowerShell ISE environment produces two additional add-on tabs in the pane at the right-hand side of the UI, as shown above. The left-most tab is labeled “Script Browser” and provides entry to a search dialog like the one shown below:

The search box pane permits users to search and peruse elements from a huge collection of scripts; very handy.

You have the ability to filter searches by resource (PowerShell, Microsoft, Community), various ways to categorize listings, and easy access to summary info and download links for each search hit.

The script analyzer, which appears in the second tab from the left, labeled “Script Analyzer,” provides access to marked up script listing data in the left-hand pane, and error messages in the right hand pane, which makes it an excellent run-time debugging tool.

All in all this is a powerful, helpful, and free tool for script-heads to download and use. Highly recommended.

When I reported here on April 8 that the “Windows 8.1 Update 1 is NOT Optional,” I was working from the then-current and correct understanding that MS would require all users to apply the Spring Update to Windows 8.1 to continue to receive security updates, patches, and fixes via Windows Update. I also observed that it was time for enterprises to “Get Busy” because the testing and vetting cycle in many larger organization normally exceeds the 5 weeks or so that Microsoft was allowing at the time. I guess enough enterprise customers must have remonstrated with Microsoft, because the company has now relented on its timing for requiring the application of the Spring Update for business customers.

Last week, in fact, Mary Jo Foley reported over at ZDNet that “Microsoft gives business users more time to install Windows 8.1 Update,” wherein she reported that for users who manage their updates via WSUS, Windows Intune or System Center Configuration Manager, they now have until August 12, 2014, to apply this update before it becomes mandatory. End Users who rely on Windows Update are still bound to the original May 12 deadline, however.

In the meantime, MS will make all Patch Tuesday items available as standalone installers via the Knowledge Base so that enterprise class users will be able to pick and choose which items that may be released on the Patch Tuesdays in May, June or July of this year that they want to apply, even in the absence of Update 1. It just goes to show you that MS will indeed listen to its biggest customers, especially when they hue and cry is both loud and frequent enough to really get their attention. Thus, you may now return to your normal testing and vetting schedules, ladies and gentlemen in the corporate testing and deployment teams!

As I’ve observed many times in this blog over the years, I’m a hopeless tinkerer. This even applies to my production system when the whim strikes and time permits. My current production machine features the following collection of components (among others): an Asus P8X68-V Pro Gen3 motherboard, an i7-2600K CPU, 32 GB RAM, and a pair of OCZ Vertex SSDs (an older 128 GB Vertex 3 and a newer 256 GB Vertex 4 that serves as the boot/system drive). I hope I can be forgiven for wanting to add the Intel Rapid Start Technology to this machine. But because it was installed with the SATA drives set up as AHCI not RAID, I decided to try a post-install conversion technique I read about online to switch from the former to the latter (the technique required a reboot, a switch to RAID in the BIOS, and a safe boot to give Windows the chance to load new drivers). Long story short: it didn’t work and I found myself compelled to repair my now unbootable machine.

Don’t be inclined to think of a system refresh as the same as an image restore of the system drive: there are some key differences.

Before starting down this road to potential perdition, I made two “backups” of the system disk: one using SlimImage Utilities’ RecImgManager, the other using the “System Image Backup” facility now present in Windows 8.1 as an add-on feature in the File History widget in Control Panel. Just for grins, I started my recovery efforts with the Refresh option for which RecImgManager had created my most recent refresh image, to see how it would all pan out.

It’s interesting that RecImgManager describes the operation of capturing a refresh image as an explicit “Backup” operation, when in fact that’s not exactly how it works. To be fair, it’s close, but it’s also no cigar, either. Here’s what I found that was different after refreshing the image I captured just before beginning my “convert-to-RAID” manueuvers:

1. The restore operation informed me that I would need to reinstall Kindle reader, OneDrive, and WinDirStat once the restore was complete. This proved only partially correct, as both OneDrive and WinDirStat were present and working when the refresh image came up on the PC. Kindle was indeed missing.
2. I had to reload the printer driver for my Samsung ML-2850 laser printer into the refreshed image.
3. When I ran Outlook again for the first time after the refresh took over, I had to reconfigure the whole darn thing (account set-up, archive handling, e-mail download behavior, switch to my preferred archive PST file, and so forth) all over again.
4. Browser plug-ins for Chrome, IE, and so forth had to be re-examined and enabled/disabled as per prior selections.
5. When I ran 8GadgetPack for the first time, it had to be set up once again, as if for the first time.

It’s possible that I might have encountered a few more things had I stayed with the refresh image longer than the two hours I decided to devote to that experiment. After that, I booted up using my Windows 8.1 Install UFD, elected the “Repair” option, and overwrote the refreshed image with my preserved system image captured earlier that morning. What I got back then was exactly what I wanted — namely, my current runtime environment set up, configuring, and working just the way it was when I captured that system image, and requiring absolutely no fiddling about whatsoever to match prior system behavior, configuration, and so forth.

It all goes to show that a system image backup and restore represents the ability to return to the status quo that prevailed at the time of the image capture, and that a system refresh comes close to doing the same, but isn’t quite exactly identical to the system image restore operation. In some cases, especially where Windows flakiness is involved and replacement of system/boot drive files outside the scope of “OS components” is undesirable or unacceptable, a refresh clearly makes more sense than restoring an earlier system image. But it’s not accurate to think of image restore and refresh as equivalent or identical. They are not, and savvy admins and power users would do well to recognize this and take it into account when formulating Windows recovery strategies and processes. The important distinction is that where Refresh does preserve files and some settings outside the scope of OS components, some additional work will be required to get refreshed system exactly back to where it was at the time the custom windows image (.WIM file) for the underlying Windows installation was captured.

In spelunking around on TechNet, I’ve come across an interesting element in the latest Windows Assessment and Deployment Kit (ADK). It’s called WIMBoot and it appears to explain quite nicely how it is that Microsoft has been able to trim down the size of Windows 8.1 Update 1 installations. In fact MS has a pair of interesting illustrations that *show* how this works, and an explanation as to why a smaller image and runtime environments result. The image pair is best understood as a kind of “before” and “after” scenario, in light of this explanation from the WIMBoot Overview (taken verbatim from its “How does it work?” section):

In a standard Windows installation (without WIMBoot), every file is written to disk at least twice: once in the compressed form for recovery, and once in the uncompressed form in the applied image. When the push-button reset feature is included, the compressed image remains on the PC. Having both the Windows installation and recovery image on the device can take up a lot of disk space.

When installing Windows with WIMBoot, you write the files to the disk only once, in compressed format. Next, you apply a set of pointer files onto the Windows partition that point back to the compressed files in the Images partition. When the user adds files, apps, or updates, they’re added onto the Windows partition.

In WIMBoot, your WIMBoot image is also used as the recovery image, saving disk space.

Here are the symbolic (not-to-scale) disk layouts for the before and after scenarios:

Overall savings on disk footprint can be pretty substantial, with reductions in size of 6 GB or greater typical. This is essential for smaller configurations, particularly for tablets with 32 GB of storage space or less, but it could also be nice for tablets, ultrabooks, or notebooks where storage space may still be at a premium. For more information on how to set up and build such installations, see also the following TechNet elements:

I can’t wait to try this out, and see how it goes. I also plan to contact my buddies as Paragon Software to see if they might not be working on some tools to help automate this process. If you know of other tool providers with similar work underway, please drop me an e-mail.